From 8c9b49f5c3454ea8a2a150dd2914f983a96b864d Mon Sep 17 00:00:00 2001
From: ahtlon <git@ahtlon.de>
Date: Wed, 17 Jun 2026 10:34:11 +0200
Subject: [PATCH] Hardcode grafana security key Grafana's secret key
 (services.grafana.settings.security.secret_key) doesn't have a default  value
 anymore. Please generate your own and use a file-provider on this option! See
 also
 https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#secret_key
 for more information. See
 https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-database-encryption/#re-encrypt-secrets
 on how to re-encrypt. As stated in the NixOS changelog for 26.05, there's no
 official way to rotate.  Either hard-code the old key
 ("SW2YcwTIb9zpOOhoPsMm") if your setup doesn't have any secrets in the DB
 that need special protection or perform a rotation with a 3rd-party tool
 (https://github.com/erooke/grafana-secretkey-rotation-tool/tree/d9dc788902fa5185e15cb15ce6129f7237ab6138).

---
 machines/overwatch/configuration.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/machines/overwatch/configuration.nix b/machines/overwatch/configuration.nix
index 06cac14..0454632 100644
--- a/machines/overwatch/configuration.nix
+++ b/machines/overwatch/configuration.nix
@@ -37,6 +37,7 @@ in
   services.grafana = {
     enable = true;
     settings = {
+      security.secret_key = "SW2YcwTIb9zpOOhoPsMm";
       server = {
         domain = "grafana.malobeo.org";
         http_port = 2342;